Security
We take security very seriously. Losing our source code or customer data would be a disaster.
This outlines our policies for protecting ourselves and not becoming 'another one of those stories'.
2FA - two-factor authentication
We enable and enforce 2FA for all services we use that have it available. Our recommended method is a TOTP app on your smartphone.
Time-based one-time password (TOTP)
We strongly recommend using a time-based one-time password (TOTP) application to configure 2FA. TOTP applications are more reliable than SMS, especially for locations outside the United States. TOTP apps support the secure backup of your authentication codes in the cloud and can be restored if you lose access to your device.
A time-based one-time password (TOTP) application automatically generates an authentication code that changes after a certain period of time. We recommend using cloud-based TOTP apps such as:
Services
- Google: Google provides many 2FA options that may be used together to improve the security of your account. All of the options can be found on Google's 2FA setup page:
  - Time-based one-time password (TOTP): this option requires a TOTP app to be installed on your smartphone. N.B. Even though the Google instructions suggest Google Authenticator, this is not recommended, as you won't be able to transfer your TOTP keys to a new phone if you lose it.
  - Google prompts: this option also requires access to your smartphone.
  - Backup codes: this is a more extreme option used for the recovery of your account (not quite a 2FA method). By enabling this, you may recover access to your account even if you happen to lose your smartphone. To do so, generate your backup codes and store them in a safe place. You may also choose to store them in a password manager application such as 1Password.
- GitHub: GitHub also provides several 2FA and recovery options. Please enable all feasible options:
  - TOTP Authenticator app: head over to GitHub's 2FA setup page and set up TOTP 2FA with your preferred authenticator app: 1Password, Authy or LastPass Authenticator (check the links for specific instructions on how to proceed).
  - Recovery codes: not a 2FA method, but a recovery option. Enable this option, then download all recovery codes and store them somewhere safe in case you lose access to your smartphone or authenticator app.
- Sentry: Sentry provides most of the options that the other apps do. You can find all security options on Sentry's security page and add the desired two-factor authentication or recovery methods. Again, we strongly recommend that you use a TOTP application, listed under the Authenticator App section.
- Stripe: use TOTP
- Xero: use TOTP
Encrypted hard drive
Always encrypt your work computer hard drive so if it's ever lost or stolen the contents are safe: